Predictable Random Number Generation in Bytes::Random::Secure for Perl
CVE-2026-11625

Currently unrated

Key Information:

Vendor

Davido

CVE Published:
26 June 2026

What is CVE-2026-11625?

In the Bytes::Random::Secure library for Perl, the internal state of the pseudo-random number generator (PRNG) is shared across forked processes when an object is initialized before forking, or when the functional interface is used. Separate processes then generate identical random streams, which makes the output of cryptographic operations predictable. Secrets produced within multiprocess applications may therefore be compromised, so affected versions of the library need to be updated.
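The following check is an added example, not code from the advisory or from the module's author. It compares tokens drawn in two forked children from an object created before fork() with tokens drawn through a per-process accessor. The helper names fork_safe_rng and tokens_from_children are hypothetical, and re-creating the object whenever the process ID changes is an assumed workaround for code that cannot be updated yet, not the maintainer's fix.

```perl
use strict;
use warnings;
use Bytes::Random::Secure ();

# Hypothetical helper (not part of the module): keep one generator per
# process ID so a child never reuses state inherited from its parent.
my ($rng, $rng_pid);
sub fork_safe_rng {
    if (!defined $rng || $rng_pid != $$) {
        $rng     = Bytes::Random::Secure->new(NonBlocking => 1);
        $rng_pid = $$;
    }
    return $rng;
}

# Fork $n children; each sends 16 random bytes (hex) back through a pipe.
sub tokens_from_children {
    my ($n, $get_rng) = @_;
    my @tokens;
    for (1 .. $n) {
        pipe(my $rd, my $wr) or die "pipe: $!";
        my $pid = fork();
        die "fork: $!" unless defined $pid;
        if ($pid == 0) {                      # child
            close $rd;
            print {$wr} $get_rng->()->bytes_hex(16);
            close $wr;
            exit 0;
        }
        close $wr;                            # parent
        my $tok = <$rd>;
        close $rd;
        waitpid($pid, 0);
        push @tokens, $tok;
    }
    return @tokens;
}

# Pattern from the advisory: the object exists (and has been used) before fork().
my $shared = Bytes::Random::Secure->new(NonBlocking => 1);
$shared->bytes(1);    # draw once so generator state exists in the parent
my @unsafe = tokens_from_children(2, sub { $shared });

# Assumed workaround: the accessor rebuilds the object when $$ has changed.
fork_safe_rng();      # parent holds an instance; children must not reuse it
my @safe = tokens_from_children(2, \&fork_safe_rng);

printf "pre-fork object: %s\n", $unsafe[0] eq $unsafe[1] ? "IDENTICAL" : "distinct";
printf "per-PID object : %s\n", $safe[0]   eq $safe[1]   ? "IDENTICAL" : "distinct";
```

The same comparison can be run in a test suite against the installed version to confirm whether a deployment still shows the shared-state behaviour after updating.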

Affected Version(s)

Bytes::Random::Secure 0 <= 0.29

Timeline

  • Vulnerability published

  • Vulnerability Reserved
